by Randy Starr, Jim Newfrock, and Michael Delurey from strategy+business issue30, spring 2003 strategy+business strategy+business magazine is published by Booz Allen Hamilton Inc. To subscribe, visit www.strategy-business.com or call 1-877-829-9108 s t r a t e g y + b u s i n e s s i s s u e 3 0 Two companies; same crisis; vastly different responses and outcomes. A Nordic telecommunications company and its pri- mary competitor, another European telecom manufac- turer, both depended on the same Koninklijke Philips Electronics NV semiconductor plant in New Mexico for chips to power their mobile phones. But when a fire broke out at the factory in March 2000, the supply chain was disrupted. The Nordic companys officials noticed the prob- lem even before being told that a plant had gone down. Its chief supply troubleshooter immediately put togeth- er a team of 30 supply chain experts to fan out across Europe, Asia, and the U.S. to patch together a solution. They redesigned chips, accelerated a project to boost production, and used the companys clout to obtain more chips from other suppliers. The other company, with fewer fail-safe and troubleshooting systems built into its supply network, came up millions of chips short of the supply needed to launch a critical new product. The result, according to the Wall Street Journal: The Nordic companys market share grew by 3 percent; the competitors dropped by the same amount. Before long, the other company withdrew from the handset market. This stark tale of gain and loss underscores a new operating reality confronting companies everywhere: Drivers of earnings, definitions of risk, underlying risk interdependencies, and ways to manage them have changed. Firms generally have thought of risk as the downside hazard to their financial portfolios and have I l l u s t r a t i o n
b y
D a v i d
P l u n k e r t Understanding interdependencies and planning for discontinuities is the path to corporate agility. c o n t e n t m a n a g e m e n t 1 by Randy Starr, Jim Newfrock, and Michael Delurey Enterprise Resilience:: Managing Risk in the Networked Economy c o n t e n t m a n a g e m e n t 71 c o n t e n t m a n a g e m e n t 3 s t r a t e g y + b u s i n e s s i s s u e 3 0 concentrated their risk management efforts on hedging their portfolios against loss. But the Nordic companys success in weathering a potentially debilitating disrup- tion to its supply chain, and ultimately gaining compet- itive advantage from its efforts, shows that companies can profit by adopting a broader understanding of and more comprehensive processes for managing risk across the extended enterprise in an increasingly complex glob- al economy. In doing so, they establish greater enterprise resilience (ER). In this article, we detail the differences between conventional enterprise risk management and enterprise resilience, and explain why a keen understanding of the distinction is essential today, when the boundaries of every major corporation have expanded, increasing a companys vulnerabilities and its potential for competi- tive advantage. We also identify how senior executives can assess their organizations resilience profile and risk management approach. And we explain how corporate managers can align risk mitigation strategies with the most significant earnings-driver risks, and close danger- ous gaps in their companys resilience profile. The Adaptation Imperative Enterprise resilience is the ability and capacity to with- stand systemic discontinuities and adapt to new risk environments. A resilient organization effectively aligns its strategy, operations, management systems, gover- nance structure, and decision-support capabilities so that it can uncover and adjust to continually changing risks, endure disruptions to its primary earnings drivers, and create advantages over less adaptive competitors. A resilient organization establishes transparency and puts in place controls for CEOs and boards to address Randy Starr (starr_randy@bah.com) is a principal in Booz Allen Hamiltons New York office. He specializes in combining busi- ness and technology strategy with market insights to imple- ment growth strategies and new business models. Jim Newfrock (newfrock_jim@bah.com) is a senior director and treasurer with Booz Allen Hamilton in New Jersey. He is responsible for global risk management at the firm and specializes in the interplay of business strategy and enterprise risk. Michael Delurey (delurey_mike@bah.com) is a principal with Booz Allen Hamilton in Virginia. He spe- cializes in strategic planning, policy analysis, and policy development for government clients with a focus on com- plex network analysis and crit- ical infrastructure protection. risks across the extended enterprise. It can withstand improper or fraudulent employee behavior, IT infra- structure failures, disruptions of interdependent supply chains or customer channels, intellectual property theft, adverse economic conditions across markets, and the myriad other discontinuities companies face today. Establishing greater resilience is especially necessary in the current economic and security environment, which poses a new set of challenges to executives and boards. The openness and complexity of todays extend- ed enterprise increases the firms dependence on a glob- al financial, operational, and trade infrastructure. Although that provides for greater efficiency and effec- tiveness, it also exposes most companies to risks that were unfamiliar during the era of national markets and the vertically integrated enterprise and compounds the effect of conventional business risks. Whats more, the legal and regulatory landscape has undergone significant change since the September 11, 2001, terrorist attacks and the accounting and gover- nance scandals in the United States, raising the level of diligence stakeholders expect from senior executives, boards of directors, and board audit committees in ensuring the safety and continuity of the enterprise. The July 2002 United States National Strategy for Homeland Security recommends that industry sectors and corresponding government agencies responsible for critical infrastructure protection develop national infra- structure assurance plans that bridge the public and private sectors. The Sarbanes-Oxley Act of 2002 has tightened boards of directors audit committee responsibilities, imposed new CEO and CFO certifica- tion requirements, and raised the standard of care obli- gations on management dramatically. The Basel II Accord commits financial-services institutions to set aside larger capital reserves against possible future oper- ational disruptions. Guided by these and other requirements, under- writers of risk, such as insurance, equity, and debt mar- kets, will more aggressively distinguish between those businesses that are resilient and those that are not. To maintain earnings consistency and preserve and grow shareholder value, chief executives and board members need the capacity to sense and respond effectively to increasingly complicated levels of risk risks that can- not necessarily be transferred through conventional means, such as insurance. Interdependence Risk Our emphasis on the importance of earnings consisten- cy matches that of the capital markets. A companys fate is determined by its ability to generate a reliable pattern of earnings growth. Companies that reduce earnings volatility and lower the probability of large losses are rewarded by financial markets with less expensive and better access to capital. Whats more, markets place consistency premiums on the stock valuations of com- panies that both promise and produce a steady pattern of increasing profits. The business activities that enable the firm to gain a competitive advantage and sustain growth vary across both industries and companies. For some, manufactur- ing facilities represent the core earnings driver; for oth- ers, IT networks, customer support operations, supply chains, intellectual property, or a combination thereof power earnings. Traditionally, risks have not been per- ceived in the context of key earnings drivers, but rather in broad categories, each of which was managed in a functionally isolated way. Thus, financial risk became the province of the CFO, operations risk the responsi- bility of the COO, and network security the task of the CIO. Rarely do they or their business continuity or security programs link together in support of strategic objectives. Senior executives have understandably renewed their attention to conventional risk mitigation pro- grams. Seventy-five percent of Fortune 1000 CEOs sur- veyed by RoperASW on behalf of Booz Allen Hamilton in late 2001 expressed increased concern about such day-to-day activities as mail processing, travel, protec- tion of employees, and protection of infrastructure. But by defining risk and security narrowly as the protection of personnel, plant, data, and financial position, CEOs and boards overlook the more prevalent perils they face conducting business in a networked global economy. Networks are one of the great advances in industri- al organization. Over the course of the last half century, the vertically integrated company has given way to the networked enterprise, an organizational structure char- acterized by greater agility and adaptability. Successful firms today must deal with intertwined layers of infor- mation, raw materials, analytical data, customer com- munication and service, and network infrastructure at unprecedented speed while maintaining countless secure relationships with third-party organizations, such as suppliers, technology outsourcers, and government regulators. The diversity of networks in business and the economy is mind-boggling, writes Albert-Lszl Barabsi, the physicist and author of Linked: The New Science of Networks (Perseus Publishing, 2002). There are policy networks, ownership networks, collaboration networks, organizational networks, network marketing you name it. Diagnose Your Enterprise Resilience: Eight Fundamental Questions Are the complexity of the extended enterprise and major earnings drivers across it transparent? Are interdependencies understood and interdepend- ence risks identified? What programs are in place to ensure the viability of earnings drivers? Are these programs fully aligned with corporate strategy and objectives, and do we understand the trade-offs within these programs? Do we know what we spend on resilience? How good is our situational awareness that is, do we have enough business intelligence, internal and external, and is it directed to the appropriate parties? Do we distill such intelligence properly and in a time- ly enough fashion to react to it? Who is accountable for resilience, and how do we make decisions and measure progress? 1 2 3 4 5 6 7 8 c o n t e n t m a n a g e m e n t 5 s t r a t e g y + b u s i n e s s i s s u e 3 0 Yet while the organizational and economic impact of networks is well known, their vulnerabilities remain largely unexplored by businesses. The reliance on open borders, transnational alliances, and global markets for capital, goods, and services has generated a just in time economy, which, although remarkably cost-efficient, leaves companies open to a range of discontinuities that can affect operations, reputation, customer habits, legal standing, regulatory compliance, earnings performance, and ultimately shareholder value. We call these new vul- nerabilities, collectively, interdependence risk, and define it as unanticipated risk exposure across the extended enterprise that is beyond an individual organi- zations direct control. Examples of interdependence risk include supply chain disruption, government interven- tion, and public infrastructure destruction. The scale and impact of a disruptive event is a func- tion of the relative importance of the dislocated entity and the degree of its integration into a broader extend- ed enterprise. A problem that appears localized could ripple across an extended enterprise, an industry sector, or even a national or multinational economy. The capac- ity to withstand such disruptions is a function of a firms systemic resilience its ability to understand its inter- dependencies, and to foresee and plan around disconti- nuities that can occur within them. Interdependencies have grown not only within the private sector. Governments and industries are increas- ingly dependent on each other at a level of intricacy not seen in the United States, at least since World War II. The National Strategy for Homeland Security calls for the development of protection plans in 14 critical infrastructure sectors (such as energy, telecommunica- tions, defense industrial base, and banking and finance); although private industry overwhelmingly owns and operates these sectors, government and business must collaborate to develop and implement the assurance plans. One current publicprivate sector partnership model is the National Security Telecommunications Advisory Committee (NSTAC), which supports the Office of the President in addressing telecommunica- tions issues vital to U.S. national security and emergency preparedness needs. The stakes in such collaboration can be enormous. A war game, cosponsored by Booz Allen with the Council for Excellence in Government in December 2001, and designed to model the effects of an intentional release of pneumonic plague in multiple metropolitan locations, found that casualties would be dramatically reduced by cross-sector knowledge-sharing mechanisms. Interdependence risk within the private sector or across the public and private spheres underlies many recent reports of operating loss. Consider what hap- pened in September 2002 when a labor dispute shut down West Coast ports for several weeks. As critical sup- ply chains stopped functioning normally, severely con- straining manufacturing and product replenishment, U.S. companies lost an estimated $1 billion per day. The events highlighted the interdependencies among ship- ping companies, supply chainintensive industries, con- tract logistics providers, and government agencies. ER vs. ERM Risk management models have not kept pace with the shift from centralized to networked organizations. In military terminology, most enterprise risk management (ERM) programs rely on point solutions, which attempt to moderate risks by hardening potentially vulnerable spots against attacks, a futile exercise in a net- worked enterprise. An organization cannot simultane- ously harden all the nodes within its network; threats will just migrate from a hardened node to more vulner- able points. Military strategy has long since adapted to this new understanding. In the early 1990s, when the U.S. Department of Defense recognized that its war- Exhibit 1: Companies Are Not Prepared to Recover from Major Disruptions More than 75% of respondents say a major disruption to their top earnings driver would either cause sustained damage to their firms earnings or threaten its continuity of operations. Fewer than 25% of respondents believe their current risk management efforts sufficiently address key areas of contingency planning. More than 33% of respondents say their companys senior management lacks a thorough understanding of the impact a major disruption would have on their company and the firms level of preparation for a major disruption. Many senior executives still fail to recognize risk management as a priority. Improved communication among key stakeholders about risks and contingency planning is needed. Source: Protecting Value Study, 2002. A survey of 199 financial executives and risk managers at Fortune 1000 firms in a variety of industries, sponsored by FM Global, the National Association of Corporate Treasurers, and Sherbrooke Partners. www.protectingvalue.com c o n t e n t m a n a g e m e n t 6 fighting doctrine of information superiority increased its dependence on networked communications systems, it transitioned from the traditional risk management technique of hardening every node to a defense in depth model, which uses a layered approach to security. Directors and senior managers, many of whom are faced with analogous challenges, have not followed suit. In a recent survey of Fortune 1000 CFOs, treasurers, and risk managers by the National Association of Corporate Treasurers and other organizations, three- quarters of respondents agreed that a major disruption to their top earnings driver would either cause sustained damage to their companys earnings or threaten business continuity. Yet fewer than one-quarter of respondents said their current risk management efforts sufficiently anticipate a wide variety of potential large-loss events. (See Exhibit 1.) In pursuing strategic objectives, boards and CEOs must factor into their decision making the trade-offs involved in selecting one risk alternative over another. Conventional ERM programs certainly help focus exec- utives and directors on the nature of specific vulnerabil- ities, and they can provide partial frameworks to help firms protect potentially weak links from low-probabili- ty catastrophic risks. But they do not fully prepare com- panies for the discontinuities that can jeopardize earn- ings drivers. Conventional enterprise risk management fails to account for interdependencies across vertical and horizontal corporate operations and thus tends to underestimate the range and severity of risks faced by the firm. Such network discontinuities can accumulate exponentially and often spiral out of control, subjecting a company to levels of loss without modern precedent. So Barings Bank learned when the actions of a single trad- er in Singapore destroyed the centuries-old institution. In sharp contrast to traditional ERM, enterprise resilience planning advances a companys speed and flex- ibility by crafting an integrated first line of defense and an offensive strategy to guard the entire extended enter- prise against new, unavoidable risks that are the by- products of interdependent operations. ER results from a planned series of safeguards against discontinuities encompassing everything from logistics, inventory con- trol, and distribution channels to relations with govern- ment agencies, customers, and suppliers. Unlike enter- prise risk management programs, which tend to focus only on how major categories of corporate risk interact at a tactical level, ER planning better aligns risk man- agement activity and spending with the most funda- mental components of corporate strategy and perform- ance: corporate growth and profit drivers, earnings con- sistency, and shareholder value. Resilient organizations are sensing, agile, networked, and prepared. They think ahead to even the most outrageous possibilities, training themselves, as the Harvard Business Review put it, how to survive before the fact. (See Diagnose Your Enterprise Resilience: Eight Fundamental Questions, page 4.) ER planning begins with the identification of the greatest risks across the enterprise, including interdepen- dencies, and then generates a targeted program, inte- grated with overall corporate strategy, for mitigating these risks. ER is a continuous process that creates the ability to adjust readily to new risks and opportunities, based on the strategic priorities and operational tempo of the business. It enables executives and managers to make educated trade-off decisions when they develop a risk mitigation strategy, balancing the costs and benefits Network discontinuities accumulate exponentially and often spiral out of control, subjecting companies to levels of loss without precedent. War-Gaming and Resilience Planning Frequently conducted in conjunction with an enterprise resilience audit, war-gaming is an effective tool for understanding a companys or an industrys resilience posture. These strategic simulations use mock crises to gauge how well executives and staff are prepared to face serious business discontinuities. The most effective war games occur over two days and involve a series of crisis simulations in which critical components of a companys or an industrys resilience are tested with players from different, yet related, stakeholder groups. Through a real- time simulation with one group making a move, and others respond- ing, action by action vulnerabilities can be exposed and mitigation strate- gies developed. For example, Booz Allen Hamilton and the Conference Board sponsored a port security war game in October 2002, just after West Coast ports in the U.S. were shut by a labor action. Participants included representatives from government agencies, supply chainintensive industries, and con- tract logistics providers. The war game simulated an unanticipated clo- sure of shipping ports after several dirty bombs were found in contain- ers shipped to U.S. ports. The exercise found that companies reliant on the ports would likely have to sacrifice just-in-time efficiency to some degree, and replace it with a more robust just-in-case supply pipeline. With such insights, companies can attempt to find the necessary balance between just-in-time production and just-in-case resilience, and to answer crucial questions: What would be the effect on earnings if we stockpiled three weeks of supply? Are there innovative ways to create these reserves besides paying for them out- right? What loss would insurance cover? What are the projected costs of alternative shipping versus stock- piling? How well do we understand whom to call and what to do during such an event? How prepared are we to communicate mediation steps? War-gamings greatest value is that it exposes ideas that participants dont realize they have and uncovers solutions that are not apparent. Additionally, war-gaming forces organizations to think differently, to examine the validity of their assump- tions about systemic risks. For exam- ple, the port security war game uncov- ered the critical fact that companies must consider security a strategic and necessary element of global trade resilience. Another insight was that local and national publicprivate part- nerships are essential to finding an effective global port security solution. When war games include participants from interdependent companies or involve a mix of private-sector and public-sector players, consensus can be forged on the need for collective action, and the action plan itself can take shape. R.S., J.N., and M.D. s t r a t e g y + b u s i n e s s i s s u e 3 0 to meet overall risk management targets and improve earnings consistency. There are three essential steps to becoming a resilient enterprise: Diagnose enterprise-wide risk and interdependencies. A company must first define its extended enterprise and determine its earnings drivers. Once this is achieved, a transparent and consolidated view of risks across the extended enterprise can be developed, helping execu- tives to understand the companys network interdepen- dencies. After the enterprise is mapped, a baseline view of risk mitigation plans and spending can be developed to identify gaps and prioritize risk mitigation objectives. The resilience diagnostic should yield quick-hit oppor- tunities associated with critical risks that management must address in the near term. Adapt corporate strategy and operating model. The enterprise should use cost-benefit analysis that links cross-functional risk mitigation planning to corporate strategy. Equally important, the CEO and board must adopt a common risk management and resiliency vocab- ulary that is comprehensible and intuitive to all, enabling executives and directors to understand a com- panys risk exposure and to make trade-off decisions in implementing risk mitigation strategies while pursuing strategic objectives. Endure increased risk and complexity. This step involves developing an organizational structure that oversees and integrates business intelligence and risk monitoring for the extended enterprise; has the analyti- cal tools and support capabilities to improve decision making and responses to risk as it changes; can measure risk mitigation with clearly defined benchmarks; can monitor the organizations resilience profile; and can implement best-practice risk mitigation solutions. The resilient organization, through an enhanced sensing c o n t e n t m a n a g e m e n t 7 c o n t e n t m a n a g e m e n t 8 capability, integrates business intelligence to improve sit- uational awareness. The ER Audit As an initial step to building enterprise resilience, com- panies can apply a comprehensive, three-phase ER audit procedure that can aid senior management teams in developing integrated risk mitigation programs ground- ed in a companys real needs and built around its actual earnings drivers. Step One: Enterprise Topology and Earnings-Driver Classification. In the diagnostics first stage, the firm should identify its key earnings drivers and their associ- ated risks. (See Exhibit 2.) This should be done by mapping the extended enterprise and drawing a consolidated and transparent picture of how the company organizes systems, process- es, and relationships inside and outside its walls to generate revenue and profits. The company must distin- guish the earnings drivers themselves; the business processes, capabilities, and technologies that support them; and their vulnerabilities. To accomplish this, interviews are held with corporate decision makers and key management staff in all functional domains. Relationships among customers, partners, and suppliers are explored; IT network safeguards inventoried; and assets charted. Step Two: Resilience Profiling and Baselining. After plotting the earnings drivers, the firm should use mod- eling tools and best practices in enterprise design to produce initial snapshots of an enterprises resilience profile for each essential aspect of a company: financial, operations, technology, personnel, and security. Then the companys existing profile should be compared with an optimal level of resilience a to be state in each of these operations. The firms current risk mitigation plans, procedures, and costs, including business continuity and security programs, are examined in this phase. The intent is to determine how the current programs and the spending on them align with the earnings drivers identified in phase one. Both explicit and implicit risk mitigation spending must be baselined. Such spending includes costs associated with known security, business continu- ity, and disaster recovery programs, as well as costs asso- ciated with security, continuity, and recovery that are buried in budgets for departments or functions, such as IT or marketing. War-gaming is a particularly useful exercise in doing such advanced resilience profiling. (See War-Gaming and Resilience Planning, page 7.) A vital part of this phase is the development of an interdependency map to identify interdependence risks across the extended enterprise hazards to earn- ings drivers that may result from unanticipated regula- tory action, changes in supplier relationships, problems at clients, or other externalities. The baselining exercise also seeks to understand how market trends and corpo- rate strategies will influence earnings drivers in the future. For example, a consumer goods manufacturer might discover that the business unit managing logistics between the factory and retailers for the companys flag- ship Product A is unaware of a new distribution chain developed by the team overseeing up-and-coming Product B. These redundant distribution channels could leave the manufacturer vulnerable because the delivery of two critical products would be interrupted simultane- ously if the supply chain network sustained a disruption. Such profiling and baselining helps identify gaps between existing risk mitigation programs and identifi- able needs, allowing management to visualize at a glance weaknesses and strengths in the firms current risk expo- sure and resilience posture. This impact analysis can identify areas for new investment and disinvestment. For example, a major retailer with state-of-the-art just- in-time inventory systems that require continual data inflows to determine how to stock shelves could be financially crippled if a disruption were to temporarily shut down its network grid. By contrast, even the largest advertising agency could get by without too much damage if it lost its com- puters for a day or longer. However, an ad agency must protect the safety of its key personnel because its human assets are its most significant earnings driver. s t r a t e g y + b u s i n e s s i s s u e 3 0 Consequently, during the diagnostics analysis stage, the to-be resilience state for the retailer would establish that the safeguarding of technology infrastructure is its high- est target for investment, and personnel security is a lower investment target; the ad agency might have the opposite resilience profile. This rating does not imply that the retailer has a lower regard for personnel safety; it simply recognizes that the retailers investments need to be focused on the technology infrastructure because that infrastructure is one of its primary earnings drivers. Step Three: Resilience Strategy. The final phase of an enterprise resilience audit aims to develop a new resilience program based on the analyses of the firms earnings-related risk mitigation needs. The most critical gaps between existing risk management programs and the to-be profile are isolated. After the financial com- mitment needed to close these gaps is determined, a cost-benefit analysis helps rationalize investment needs, finding the optimal balance among components of the risk mitigation effort. Exhibit 3: Corporate Strategy and Risk Integration Factors earnings-driver risks Adapts to new risks environments Extended enterprise view Factors risk interdependencies Transparency Insight Accountability Decision making Execution Measurement Boards of Directors and CEOs Corporate Strategy Risk Strategy Enterprise Resilience Exhibit 2: Determining Earnings-Driver Priorities: A Service Company Example Superb delivery and execution Compliance (regulatory and client confidentiality) Market position/distinctiveness of offering Maintenance of client relationships Intellectual property Sales effectiveness Ability to attract, develop, and retain top staff Global footprint Infrastructure protection Priority Earnings Drivers Capacity management Research and development Market conditions Immediate: Life-Threatening L o w H i g h Longer-Term: More Insidious Immediacy of Impact on Earnings Drivers D e g r e e
o f
C o n t r o l c o n t e n t m a n a g e m e n t 9 c o n t e n t m a n a g e m e n t 10 The cost assessment examines business resilience from three perspectives: people, operations (process and technology), and interdependencies. As an example, an established meat products company might learn that, overall, it has well-protected supply and distribution networks, moderate operations risk thanks to mature crisis and disaster management plans, but weak person- nel security because its hiring and management proce- dures at international subsidiaries are inadequate. On the basis of this evaluation, the company could decide to reduce resources earmarked for disaster management and network oversight and redirect them to improve its recruitment, training, and inspection practices. Other- wise, it increases the risk that a devastating incident will occur (e.g., poor inspection practices could allow tainted meat to reach consumers and cause them to become ill). After setting the gap-closing priorities and develop- ing the full risk mitigation strategy, the executive team should agree on a migration path and gain the boards agreement on a timetable for the institution of near-term and longer-term resilience goals. Over time, enhanced business intelligence and information sharing should be developed to promote greater situational awareness. Risk Is Reality We believe that companies need to adopt a more inte- grated approach to risk management one that links business strategy to enterprise resilience and business continuity planning. Using diagnostic tools, war- gaming, and decision-support capabilities, companies can establish a more effective, continuous, and consis- tent methodology for protecting the enterprise from internal and external risks. The establishment of enterprise resilience should involve not only those routinely responsible for risk management and security, such as the CFO, CIO, and chief security officer, but also the CEO, the business unit general managers, the board of directors, and the boards audit committee. With their collaboration, a new risk management approach can be developed to provide a steady stream of information to the organiza- tions top decision makers about the vulnerability of earnings drivers. (See Exhibit 3.) Done this way, ER planning will improve corporate governance and enhance decision making within a company. Businesses have always faced risks, but recent events have provided dramatic evidence that, in todays econo- my, risk is reality. Not all risks can be anticipated, but they can be managed, by senior executives, boards, and stakeholders working together to create a resilient enter- prise. Stakeholder expectations are higher than ever, and enterprises that are more resilient will experience more rewards from increased customer and partner loyalty to the realization of premiums for improved earnings consistency. + Reprint No. 03107 Shareholder expectations are higher than ever. Resilient companies will reap rewards, from increased partner and customer loyalty to improved earnings consistency. Resources Mark Gerencser and DeAnne Aguirre, Security Grounds the CEO Agenda, s+b, Second Quarter 2002; www.strategy-business.com/press/article/?art=313296&pg=0 Ralph W. Shrader and Mike McConnell, Security and Strategy in the Age of Discontinuity: A Management Framework for the Post-9/11 World, s+b, First Quarter 2002; www.strategy-business.com/press/article/?art=228408&pg=0 Diane L. Coutu, How Resilience Works, Harvard Business Review, May 2002; www.hbsp.harvard.edu Gary Fields, An Ominous War Game, Wall Street Journal, December 4, 2002 Booz Allen Hamilton has been at the forefront of management consulting for businesses and governments for more than 80 years. Booz Allen combines strategy with technology and insight with action, working with clients to deliver results today that endure tomorrow. With over 11,000 employees on six continents, the firm generates annual sales of $2 billion. Booz Allen provides services in strategy, organization, operations, systems, and technology to the worlds leading corporations, government and other public agencies, emerging growth companies, and institutions. To learn more about the firm, visit the Booz Allen Web site at www.boozallen.com. To learn more about the best ideas in business, visit www.strategy-business.com, the Web site for strategy+business, a quarterly journal sponsored by Booz Allen. Booz Allen Global Assurance Campaign Our nation is profoundly dependent on the critical infrastructures that are predominantly owned and operated by the private sector. Government and business leaders have an obligation to create new public-private partnerships to protect our economy and our industries. Resilient organizations align their strategy, operations, management systems, and decision support capabilities to enable them to uncover, adapt to, and improve their responsiveness to disruptionsfor the government, the issue is mission; for industry, the issue is earnings consistency. As this war game showed, together, government and industry can enhance the resilience of global trade. The Global Assurance Team provides enterprise resilience services to businesses, and homeland security consulting services to the U.S. federal and local governments. What Booz Allen Brings Mark Gerencser is a Senior Vice President of Booz Allen Hamilton, specializing in helping clients achieve enterprise resilience to gain a competitive advantage, maintain business continuity, and protect and increase shareholder value. In his 20 years with the frm, he has worked with the Department of Defense, the U.S. intelligence community, and such private sector industries as health care, aerospace and defense, high technology, and media. He can be reached at gerencser_mark@bah.com. Jim Weinberg is a Senior Vice President of Booz Allen Hamilton in our Chicago offce and assists companies in step-change improvement in operations performance through implementing new operating models and technologies. Mr. Weinberg is a co-leader of Booz Allen Hamiltons Enterprise Resilience practice which is forging new frameworks for managing risk in todays dynamic and network-centric business environment. He can be reached at weinberg_jim@bah.com. Abu Dhabi Charles El-Hage 971-2-6-270882 Amsterdam Peter Mensing 31-20-504-1900 Atlanta Joe Garner Joe Garner 404-659-3600 Bangkok Tim Jackson Tim Jackson 66-2-653-2255 Beirut Charles El-Hage 961-1-336433 Berlin Rene Perillieux 49-30-88705-0 Bogot Jaime Maldonado Jaime Maldonado 57-1-313-0202 Boston John Harris John Harris 617-428-4400 Brisbane Tim Jackson Tim Jackson 61-7-3230-6400 Buenos Aires Alejandro Stengel 54-1-14-131-0400 Caracas Jos Gregorio Baquero 58-212-285-3522 Chicago Gary Ahlquist 312-346-1900 Cleveland Les Moeller 216-696-1900 Colorado Springs Glen Bruels 719-597-8005 Copenhagen Kenny Palmberg 45-3393-36-73 Dallas Tim Blansett 214-746-6500 Dsseldorf Thomas Kuenstner 49-211-38900 Frankfurt Rainer Bernnat 49-69-97167-0 Gteborg Bengt Johannesson 46-31-725-93-00 Helsinki Kari Iloranta 358-9-61-54-600 Hong Kong Reg Boudinot 852-2634-1878 Houston Joe Quoyeser 713-650-4100 Jakarta Ian Buchanan 6221-577-0077 Lexington Park Neil Gillespie 301-862-3110 London Peter Bertone 44-20-7393-3333 Los Angeles Tom Hansson 310-297-2100 Madrid Mercedes Mostajo 34-91-5220606 Malm Ingemar Bengtson 46-40-690-31-00 McLean Martin J. Bollinger 703-902-3800 Melbourne Tim Jackson 61-3-9221-1900 Mexico City Alonso Martinez 52-55-9178-4200 Miami Alonso Martinez 305-670-8050 Milan Enrico Strada 390-2-72-50-91 Munich Richard Hauser 49-89-54525-0 New York David Knott 212-697-1900 Oslo Haakon Bjertnaes 47-23-11-39-00 Paris Panos Cavoulacos 33-1-44-34-3131 Philadelphia Molly Finn 267-330-7900 Rio de Janeiro Paolo Pigorini 55-21-2237-8400 Rome Fernando Napolitano 39-06-69-20-73-1 San Diego Foster Rich 619-725-6500 San Francisco Bruce Pasternack 415-391-1900 Santiago Alejandro Stengel 562-445-5100 So Paulo Letcia Costa 55-11-5501-6200 Seoul Jong Chang 82-2-2170-7500 Stockholm Kenny Palmberg 46-8-506-190-00 Sydney Tim Jackson 61-2-9321-1900 Tampa Joe Garner 813-281-4900 Tokyo Eric Spiegel 81-3-3436-8600 Vienna Helmut Meier 43-1-518-22-900 Warsaw Reg Boudinot 48-22-630-6301 Wellington Tim Jackson 64-4-915-7777 Zurich Jens Schedler 41-1-20-64-05-0 2003 Booz Allen Hamilton Inc. Worldwide Offices